From: Cédric Couralet
To: Tomcat Users List
Subject: Re: Apache HTTP + Tomcat + SSL
Date: Mon, 30 Sep 2013 16:15:40 +0200

2013/9/30 Christopher Schultz:
> Cédric,
>
> On 9/30/13 10:06 AM, Cédric Couralet wrote:
>> Hi,
>>
>> 2013/9/30 André Warnier:
>>> Hi.
>>>
>> [...]
>>> The question is now: why does that application require HTTPS?
>>> An application usually doesn't care how it is accessed, except if
>>> some configuration of the application requires it to get some
>>> information from the SSL protocol (like a user certificate or
>>> so). What does this application need?
>>>
>>
>> I don't agree, the application should know how it is accessed, if
>> only because some pages may require SSL (all pages under an
>> auth-constraint) and others not, and it should not be delegated to
>> apache but required at the tomcat level. I really think that saying
>> to an application "do not care about SSL it is our problem" will
>> lead to all sort of security incomprehension in the future.
>> Especially when it is as easy as adding a valve in server.xml to do
>> so (as said by Daniel Mikusa), or if it is an option, configuring
>> AJP between tomcat and httpd, which then requires nothing on the
>> tomcat side.
>
> Some solutions require nothing on the Tomcat site (hint: mod_jk does
> all this auto-magically).
>

I didn't say otherwise ("configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side").

I just reacted to the saying that an application could not care whether it was accessed with SSL or not. I think the choice of https over http is an application choice, and it could be dangerous to say that it is not important for an application to think about it. I agree with all the rest; it is just that sentence which made me uneasy (for lack of a better term).

Cédric